How to use sudo/nm-applet in qubes 4.0 in fedora-2X-minimal

schnuren...@gmail.com

May 28, 2018, 7:03:58 AM
to qubes-users
I installed qubes-template-fedora-26-minimal, upgraded it to release version 28 (paid attention to the python2-xcffib bug) and cloned it to make a network-"for-all-things-networking"-VM-only template.

So far, as written in qubes documentation->fedora-minimal, I installed the networking related packages to let the template act as a minimal-networking-stuff-template. But nm-applet is not authorized to control.
And here we stop, because it seems that qubes-core-agent-passwordless-root and/or polkit is always necessary. (?)
But because of a choice of design in Qubes 4.0, it is not installed as default. Whereas qubes-core-agent-systemd and qubes-core-agent-qrexec are installed by default as written in the documentation.
What is the mind behind this choice? Just asking out of sheer curiosity.

The package polkit depends on spidermonkey javascript stuff (mozjs52 package). 6.5 MB of not relevant stuff for just a networking VM. Because it works except the nm-applet authorization thingy.

"nmcli general permissions" gave me a timeout as fedora-minimal AppVM user.
Can I get around this by adding the user to a specific group to get the rights to use nm-applet as a user? A search gave me answers to a nm-applet bug in 2015: https://mail.gnome.org/archives/networkmanager-list/2015-January/msg00033.html

There is a hint that NM uses polkit and/or systemd. But only polkit is not installed (I guess). Some advice someone wrote in the link:
"Alternatively, if you don't care about user permissions and want to
allow any user to control networking you can build NM with
--with-session-tracking=none and --with-polkit=no to disable this
functionality."

I guess, this would be a workaround to get the minimal networking VM to fully work, am I correct?
This should be the same behavior as qubes' passwordless-root just for NM and with fewer packages - or is this way intending that anyone (even nobody-user, if existing) could handle NM but do not get any other root files like write to /rw/ in the NetVM and is therefore less "secure" than user-polkit-passwordless-root installation and interaction!?

Jean-Philippe Ouellet

Dec 11, 2018, 5:27:17 PM
to schnuren...@gmail.com, qubes-users
Yep, looks like polkit is indeed required :(